PowerOn/gateway
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gateway/modules/interfaces/serviceAppAccess.py
ValueOn AG ecf23255d2 base for integration test
2025-05-28 01:51:10 +02:00

189 lines
No EOL
7.5 KiB
Python
Raw Blame History

"""
Access control for the Application.
"""
from typing import Dict, Any, List, Optional
from datetime import datetime
from modules.interfaces.serviceAppModel import UserPrivilege, Session, User
class AppAccess:
"""
Access control class for Application interface.
Handles user access management and permission checks.
"""
def __init__(self, currentUser: User, db):
"""Initialize with user context."""
self.currentUser = currentUser
self.userId = currentUser.id
self.mandateId = currentUser.mandateId
self.privilege = currentUser.privilege
if not self.mandateId or not self.userId:
raise ValueError("Invalid user context: mandateId and userId are required")
self.db = db
def uam(self, table: str, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
"""
Unified user access management function that filters data based on user privileges
and adds access control attributes.
Args:
table: Name of the table
recordset: Recordset to filter based on access rules
Returns:
Filtered recordset with access control attributes
"""
filtered_records = []
# Apply filtering based on privilege
if self.privilege == UserPrivilege.SYSADMIN:
filtered_records = recordset # System admins see all records
elif self.privilege == UserPrivilege.ADMIN:
# Admins see records in their mandate
filtered_records = [r for r in recordset if r.get("mandateId","-") == self.mandateId]
else: # Regular users
# Users only see records they own within their mandate
filtered_records = [r for r in recordset
if r.get("mandateId","-") == self.mandateId and r.get("createdBy") == self.userId]
# Add access control attributes to each record
for record in filtered_records:
record_id = record.get("id")
# Set access control flags based on user permissions
if table == "mandates":
record["_hideView"] = False # Everyone can view
record["_hideEdit"] = not self.canModify("mandates", record_id)
record["_hideDelete"] = not self.canModify("mandates", record_id)
elif table == "users":
record["_hideView"] = False # Everyone can view
record["_hideEdit"] = not self.canModify("users", record_id)
record["_hideDelete"] = not self.canModify("users", record_id)
elif table == "sessions":
# Only show sessions for the current user or if admin
if self.privilege in [UserPrivilege.SYSADMIN, UserPrivilege.ADMIN]:
record["_hideView"] = False
else:
record["_hideView"] = record.get("userId") != self.userId
record["_hideEdit"] = True # Sessions can't be edited
record["_hideDelete"] = not self.canModify("sessions", record_id)
elif table == "auth_events":
# Only show auth events for the current user or if admin
if self.privilege in [UserPrivilege.SYSADMIN, UserPrivilege.ADMIN]:
record["_hideView"] = False
else:
record["_hideView"] = record.get("userId") != self.userId
record["_hideEdit"] = True # Auth events can't be edited
record["_hideDelete"] = not self.canModify("auth_events", record_id)
else:
# Default access control for other tables
record["_hideView"] = False
record["_hideEdit"] = not self.canModify(table, record_id)
record["_hideDelete"] = not self.canModify(table, record_id)
return filtered_records
def canModify(self, table: str, recordId: Optional[int] = None) -> bool:
"""
Checks if the current user can modify (create/update/delete) records in a table.
Args:
table: Name of the table
recordId: Optional record ID for specific record check
Returns:
Boolean indicating permission
"""
# System admins can modify anything
if self.privilege == UserPrivilege.SYSADMIN:
return True
# Check specific record permissions
if recordId is not None:
# Get the record to check ownership
records = self.db.getRecordset(table, recordFilter={"id": recordId})
if not records:
return False
record = records[0]
# Admins can modify anything in their mandate
if self.privilege == UserPrivilege.ADMIN and record.get("mandateId","-") == self.mandateId:
# Exception: Can't modify Root mandate unless you are a sysadmin
if table == "mandates" and record.get("initialid") and self.privilege != UserPrivilege.SYSADMIN:
return False
return True
# Users can only modify their own records
if (record.get("mandateId","-") == self.mandateId and
record.get("createdBy") == self.userId):
return True
return False
else:
# For general table modify permission (e.g., create)
# Admins can create anything in their mandate
if self.privilege == UserPrivilege.ADMIN:
return True
# Regular users can create most entities
if table == "mandates":
return False # Regular users can't create mandates
return True
def validateSession(self, sessionId: str) -> bool:
"""
Validates a user session.
Args:
sessionId: ID of the session to validate
Returns:
Boolean indicating if session is valid
"""
try:
# Get session
sessions = self.db.getRecordset("sessions", recordFilter={"id": sessionId})
if not sessions:
return False
session = sessions[0]
# Check if session is expired
if datetime.now() > session["expiresAt"]:
return False
# Check if user has permission to access this session
if session["userId"] != self.userId and self.privilege not in [UserPrivilege.SYSADMIN, UserPrivilege.ADMIN]:
return False
# Update last activity
self.db.recordModify("sessions", sessionId, {
"lastActivity": datetime.now()
})
return True
except Exception as e:
logger.error(f"Error validating session: {str(e)}")
return False
def canAccessAuthEvents(self, userId: str) -> bool:
"""
Checks if the current user can access auth events for a specific user.
Args:
userId: ID of the user whose auth events to check
Returns:
Boolean indicating permission
"""
# System admins and admins can access all auth events
if self.privilege in [UserPrivilege.SYSADMIN, UserPrivilege.ADMIN]:
return True
# Regular users can only access their own auth events
return userId == self.userId
Reference in a new issue View git blame Copy permalink